The General Data Protection Regulation (GDPR) has been published in the Official Journal of the EU after being finalised by EU lawmakers in April 2017.
The GDPR is an EU regulation which the UK Government has opted in to, which means that it will be directly incorporated into the UK legal system as it stands and will apply from 25th May 2018.
While the principles are similar to those in the Data Protection Act (DPA) 1988, there are some additional requirements that UK companies need to be aware of.
Since the UK will still wish to trade with the EU post-Brexit, it is likely that, one way or another, the provisions of the GDPR will continue to apply regardless of the UK leaving the EU.
The GDPR requires employers to provide more in-depth information to individuals about the processing of their personal data, including the purpose of the processing, the legal basis and the period for which the data will be retained.
Prior to giving consent to process personal data, the individual must be told they have a right to access, rectify, delete and restrict their personal data.
They should also be informed that they can object to processing, complain to the Information Commissioner’s Office (ICO) and withdraw consent at any time.
Organisations will be required to report personal data breaches to the ICO and maintain a breach register.
Organisations must demonstrate their compliance with GDPR principles.
Adopting certain protection measures such as policies, audits, and record keeping will mitigate risk.
The penalties that can be imposed depend on the severity of the breach. Fines can be up to £20,000,000 or 4 per cent of the organisation’s annual turnover. In addition, data breaches often attract negative PR attention, putting the organisation’s reputation on the line.
Businesses need to make sure their systems protect privacy, that contractual provisions are in place to ensure compliance, and that clarity exists throughout the organisation.
The new EU data regime will have an effect on all of the data your organisation processes about individuals. It is an employer’s responsibility to reduce the risk of breach.